Secure? Samba over internet

Florian G. Pflug fgp at
Wed Jan 13 14:50:14 GMT 1999

On Wed, Jan 13, 1999 at 11:53:34PM +1100, Chris Watt wrote:
> 1. If the ISP suddenly re-assigned Joe's IP address to one of their own
> machines, would the postexec command be called and cut them off before they
> could access Joe's files? Or would it have to wait until deadtime (or some
> other timeout) killed Joe's inactive connection?
If they are smb-experts yes - otherwise not, I think

> 2. Is it possible that they (or somebody in between) could establish a
> connection without breaking Joe's connection?
again, if they are smb-experts, someone could hijack the connection (has
been done for telnet - so tcp-connections can be hijacked, udp ist even
easier, I think)

> 3. Can you think of any way to fake an access request message without
> physical access to Joe's PC and his passphrase?
Well.. If your scripts are safe, your script-interpreters are safe (no
buffer overflows...), your os is safe then No. 
You can of course never be sure, but your approach seems quite safe.

> 4. Can you think of a practical way to better automate the connection
> process so that when the server has created the accept rule for Joe's IP it
> will also do something to cause Joe's PC to realise that the process is
> complete and it can now connect?

> 5. Does this system have blatantly obvious weak points that I've totally
> missed?
Apart from hijacking, ist (quite) easy to record every byte that joe
transfers, sice smb ist not encrypted

> 6. Is there a simpler way to achieve the same basic effects (i.e.
> establishing secure one-time samba access from an arbitrary IP address)?
I have no 

> 6. Is it reasonable to assume that (unless the machine is rebooted, which
> would clear the firewall rules anyway) the postexec line is certain to
> execute at some point? Or would it be a good safety precaution to run a
> cron job to remove all the rules that could have been created by this
> process on a regular basis?
Would be a good idean - I case, samba crahsed, or whatever - better paranoid
then hacken :-)

> 7. What problems might I encounter vis-a-vie NetBIOS and DNS? (Yes, save
> the worst for last ;) I'd _guess_ that this would not be a problem, as "net
> view \\$SERVER_IP" seems to work just fine on M$ systems which are allowed
> to communicate with the server, and with any luck the server does not
> actually need to know the netbios name that the client thinks it has or be
> able to resolve that to an ip with dns. . . Right?
> Failing that assumption, can anyone think of a slick way to tell samba that
> $IP_FROM_EMAIL is JoesBox without restarting samba? (bringing up questions
> about when/how lmhosts is used. . .)

If joes´s pc runs linux (or if he has a linux-router for his modem), You
could make a virtual connection over the internet. An example ist to use 
ssh (encrypted telnet, or betther encrypted rsh) let ppp run "over" ssh.

This gives you an encrypted, virutal connection. If you do it right, joe´s
pc at home looks like a host behing a route for the pc´s in the office.
Maybe this also solves 7) ???

                                                 Greetings, FLorian Pflug

More information about the samba mailing list